Cybersecurity is a key topic for the PZU Group, given its growing importance in the financial and insurance sectors. Proper system security is not only a regulatory necessity but also a foundation of trust for clients and investors.
Considering cybersecurity as one of the additional topics was preceded by a detailed materiality assessment in the context of PZU Group’s activities. The results of this analysis clearly indicated that this topic is not only material but also insufficiently covered by the current ESRS disclosure requirements.
As a result, in terms of double materiality assessment, the PZU Group identifies cybersecurity as an issue that has a real and potentially positive impact on its own operations. Due to the PZU Group’s advanced cybersecurity management systems and comprehensive procedures, we identify a positive impact on the cybersecurity sector as a whole, through the rising competence of the entire market. At the same time, the topic itself may carry potential risks for our own operations. The PZU Group is aware of the risks posed by cyber threats, which can affect the security of customer data as well as overall operational stability.
Cybersecurity policies
The PZU Group has implemented a series of measures to ensure digital resilience and IT system continuity, enabling effective security incident management and maintaining the stability of its digital infrastructure.
Below, the PZU Group provides a detailed description of its key cybersecurity policies*
The „Security policy of PZU SA and PZU Życie SA”, along with internal regulations and decisions issued for its implementation, is a comprehensive and detailed regulation covering the following areas:
- information security
- crime prevention
- anti-money laundering and counter-terrorist financing
- business continuity
- IT system security
- physical security and workplace health and safety.
The directors of the relevant departments responsible for the areas mentioned above annually submit to the Management Board, in the second quarter, a report on the assessment of the level of security threats for the previous calendar year. In the area of IT system security, the Director of the Cybersecurity Office is responsible for submitting the report.
Based on the report, the PZU Management Board may mandate the responsible organizational units to undertake initiatives focused on reducing PZU's and PZU Życie's security risk. The recipients of the Policy are the Management Boards of PZU and PZU Życie.
This policy applies to PZU and PZU Życie employees, as well as external entities cooperating with PZU and PZU Życie under contracts and agreements.
The policy also sets unified security standards for other PZU Group companies (excluding Bank Pekao and Alior Bank), which participate in achieving operational security targets using shared security standards. To ensure effective cooperation in the area of security within the PZU Group and proper security management at subsidiary companies (excluding Bank Pekao and Alior Bank), the „Security management policy in the PZU Group” has been implemented.
The Information Security Policy at Bank Pekao establishes general principles and rules for information security and serves as an extension of the Bank Pekao Information and Communication Technology Security Strategy and is the primary document in this area. The policy is further detailed through information security documents, which specify how to implement individual principles and rules. The Bank Security Center is responsible for updating the Information Security Policy.
The Information Security Policy considers the interests of key stakeholders, including the protection of client information and transaction security, as well as rules of conduct for bank employees, regardless of their role, and for third parties.
The Information Security Policy defines management methods and security requirements necessary to ensure the proper protection of information within the bank. It has been adopted by the Management Board of Bank Pekao and published in accordance with the bank’s procedures. To clarify how the policy’s principles and rules should be implemented, the Director of the Bank Security Center prepares and issues information security documents. Information about the publication of a security document, or about any changes made to it, is communicated internally to the relevant groups of recipients. Anyone with access to the bank’s information systems is required to familiarize themselves with the provisions of the Information Security Policy and the security documents and to comply with them strictly. The policy also applies to third parties involved in processing the bank’s information.
The Information and Communication Technology Security Strategy at Bank Pekao defines the principles on which the Information Security Policy and other documents strictly related to information security within the bank are based. The highest unit responsible for implementing the strategy is the Bank Security Center. The strategy was developed in compliance with applicable laws and supervisory authority recommendations. The documents derived from this strategy cover information security, including electronic information protection, aiming to safeguard the interests of the bank, its clients, and employees. The strategy was adopted and published in accordance with the bank’s internal procedures.
The Information and Communication Technology Systems Security Policy at Alior Bank defines the structure and fundamental principles of the ICT Security Management System in the bank, including procedures and standards for information protection, adapting to dynamic market changes and new regulatory requirements. The policy covers both cybersecurity and the security of information processed within the bank.
The bank complies with applicable regulations, including requirements arising from its role as an operator of key services, in accordance with the Act on the National Cybersecurity System (which implements the NIS Directive and is based on the Polish Standard PN-EN ISO/IEC 27001). During the policy development and update process, the interests of customers and regulators are considered. The bank collaborates with the Banking Cybersecurity Center of the Polish Bank Association (ZBP) and participates in initiatives such as the Payment Transaction Security Forum and the Threat Intelligence Forum.
* If the highest function responsible for implementing the policy is not explicitly indicated in the policy description, it is to be assumed that the Management Board of the respective entity is responsible for its implementation.
Processes carried out within the scope of activities to maintain and improve cybersecurity
Based on previously established policies and procedures, the PZU Group carries out a range of processes aimed at enhancing cybersecurity. These include threat protection and monitoring, integrated security systems with inter-unit cooperation, specialized procedures in subsidiaries, and a general monitoring and reporting system. These processes are detailed below.
The PZU Group strives to maintain the highest level of protection against cyber threats by implementing modern technologies, threat monitoring, and systematically raising employee awareness. Strictly controlled procedures, audits, and cooperation with external entities ensure effective protection against cyberattacks and safeguard data and resources within the PZU Group.
In the PZU Group (excluding Bank Pekao and Alior Bank), an advanced cybersecurity management system is in place, covering continuous monitoring, testing, and the implementation of solutions to protect against cyber threats. These activities are conducted within the “Security Operations Center”, which provides ongoing oversight of IT security.
Key Security Operations Center processes include:
- monitoring and analyzing IT infrastructure events using SIEM systems („Security Information and Event Management”)
- vulnerability assessment and cybersecurity risk management through automated IT infrastructure scanning
- conducting penetration tests, source code audits, and IT system reviews
- network access control and cyber threat monitoring
- proactively recommending solutions to minimize risk and prevent incidents
- reporting on cybersecurity status to the management board and relevant supervisory authorities.
As part of its ongoing processes, the PZU Group (excluding Bank Pekao and Alior Bank) has introduced comprehensive cybersecurity management principles, which include:
- regulatory reviews – annual internal procedure and policy audits to ensure compliance with applicable laws and supervisory guidelines
- training and educational campaigns – systematic employee awareness enhancement through training, hacker attack simulations, and internal cybersecurity information portals
- incident management system – monitoring potential breaches, rapid incident response, and close collaboration with regulatory authorities and investigative units
- audits and compliance testing – regular internal and external inspections to ensure high-quality cybersecurity management.
Bank Pekao has dedicated cybersecurity units responsible for monitoring and analyzing the IT environment. The bank has implemented security systems in compliance with the Financial Supervision Authority’s (KNF) requirements, including an incident response plan and advanced threat detection mechanisms.
Alior Bank employs risk assessment tools, an early warning system against cyberattacks, and continuous reporting on cybersecurity status to the Management Board.
The processes described in the previous section constitute a key part of the PZU Group’s approach to cybersecurity. Another essential aspect involves the actions and resources dedicated to managing material impacts, risks, and opportunities. In 2024, these activities included thematic training for employees, both onboarding and refresher courses, covering key topics related to data protection, cybersecurity, and crime prevention. The PZU Group places particular emphasis on raising employee awareness through educational campaigns and expert meetings focused on information security and emerging threats, such as disinformation. In 2024, internal informational materials were published on the intranet, and experts conducted regular online sessions.
In addition to educational initiatives, the PZU Group invests in the development and modernization of its IT security systems. Regular audits and vulnerability tests enable the PZU Group to identify and eliminate threats at an early stage. Cybersecurity remains a critical component of the Group’s strategy, encompassing both central structures and individual subsidiaries.
As part of the PZU Group, a significant role is also played by the actions undertaken by its banking entities, Pekao and Alior, which focus on protecting IT systems and educating both employees and clients.
In 2024, Bank Pekao implemented its cybersecurity strategy, emphasizing the enhancement of resilience to cyber threats in the bank’s ICT environment, increasing the level of protection for information processed by the bank, and promoting knowledge and best practices for improving the security of systems and stored data. The bank introduced new technological solutions, conducted educational campaigns, and engaged in both internal and external communication regarding cyber threats (e.g., through the bank’s website, social media, mobile app notifications, radio broadcasts, and webinars). Bank Pekao organized or co-organized cybersecurity-related events, such as the #CYBERczujni campaign and the cyberPEKAO educational program, through which employees participated in training sessions while clients had access to webinars and educational materials on cybersecurity. The bank also collaborates with the CyberDefence24 portal, which covers cybersecurity issues and hosts a dedicated section prepared by the bank. Furthermore, Bank Pekao actively participates in educational and informational initiatives on cybersecurity organized by the Polish Bank Association.
Alior Bank conducted regular tests on key IT systems responsible for processing customer data and handling financial transactions. Both manual tests and quarterly automated vulnerability scans allowed for the continuous identification and elimination of system weaknesses. The bank has a dedicated team for 24/7 security monitoring of customer data and transactions, which analyzes emerging threats and adjusts security measures accordingly. In 2024, Alior Bank employees participated in cybersecurity training, and their knowledge was periodically assessed through regular phishing simulations. For clients and end users, the bank ran awareness campaigns throughout 2024, promoting security and providing updates on current threats via its website, social media channels, mobile application, and the dedicated Phishing-Stop website. Additionally, Alior Bank collaborates with the Polish Bank Association and engages in large-scale educational initiatives.
Targets for managing material impacts, risks, and opportunities related to cybersecurity
Given the sensitivity of these objectives for business security, the PZU Group has decided to disclose only their general nature:
- minimizing the risk of cyberattacks and ensuring the effective protection of data, applications, and systems from unauthorized access
- mitigating broadly defined cybersecurity risks, including the loss of confidentiality, integrity, and availability of information
- optimizing cost and operational efficiency of security systems and tools
- enhancing customer data protection and strengthening safeguards against unauthorized use.
Further development and future plans
In 2025, the PZU Group plans to further strengthen its cybersecurity framework by implementing measures to protect against the increasing threats in the digital landscape. On January 17, 2025, PZU and PZU Życie successfully aligned with the requirements of the Digital Operational Resilience Act (DORA) for the financial sector.
Education remains a key pillar in the Group’s cybersecurity advancement activities. Employees will have access to onboarding and refresher training, enabling them to better understand new responsibilities arising from sanctions policies and cybersecurity threats they may encounter in their daily work. Educational campaigns will provide essential knowledge, while materials published on the PZU intranet will serve as an additional resource to enhance awareness of IT security.
Furthermore, the PZU Group plans to organize online sessions featuring both internal and external experts, who will share insights on social engineering threats and disinformation. Through these initiatives, employees and clients will be better equipped to identify potential attacks and enhance their protection against cyber threats.